Adobe Patches Critical Photoshop Flaws in Unscheduled Update

The two vulnerabilities are critical remote code execution flaws that exist in Adobe Photoshop CC.

Adobe hurried out unscheduled patches today for two critical flaws that could enable remote code-execution in Photoshop CC.

The patches address two memory corruption vulnerabilities in Adobe Photoshop products, including Photoshop CC 2018 (v 19.1.6) and Photoshop CC 2017 (v 18.1.6), both for Windows and macOS. The release comes only a week after the company fixed a slew of glitches last Patch Tuesday.

“Adobe has released updates for Photoshop CC for Windows and macOS,” the company said in a Wednesday security bulletin. “These updates resolve critical vulnerabilities in Photoshop CC 19.1.5 and earlier 19.x versions, as well as 18.1.5 and earlier 18.x versions. Successful exploitation could lead to arbitrary code-execution in the context of the current user.”

Both vulnerabilities (CVE-2018-12810 and CVE-2018-12811) are critical remote code-execution flaws, according to the advisory, but further details about the flaws are not available.

Kushal Arvind Shah of Fortinet’s FortiGuard Labs was credited with reporting the two flaws.

Adobe said impacted users need to apply the fixes to the affected versions of Photoshop by updating to version 19.1.6 (via the applications’ update mechanism).

The release is unscheduled and follows on the heels of Adobe’s August Patch Tuesday updates. Last week, Adobe released 11 total fixes for an array of products, including two critical patches for Acrobat and Reader for Windows and macOS. Exploitation of those two vulnerabilities could lead to arbitrary code execution in the context of the current user.

Adobe said in an email that it is not aware of any exploits in the wild for the flaws. The update is a priority 3 in severity, meaning that it resolves vulnerabilities in a product that has historically not been a target for attackers, according to the company’s ranking system.

“This release is out of band for Adobe’s typical release schedule which would make you think there was a bit more urgency around the two critical vulnerabilities being resolved, but the priority for the update was rated at a priority 3,” Chris Goettl, director of product management for Ivanti, told Threatpost. “Typically a release with critical vulnerabilities being resolved would have been a priority 2 or if the vulnerabilities are known to be exploited in the wild it would be a priority 1. In this case I would expect there may have been a disclosure deadline and the release did not make this month’s typical release cycle but needed to release before September’s release cycle.”

Authors

Threatpost
